Justice IG finds IT security vulnerabilities

Despite getting high marks for its compliance with computer security
legislation, the Justice Department had major systemic information
technology vulnerabilities and did not fully implement policies and
procedures meant to increase IT security, according to an audit by the
department’s inspector general.

The IG found vulnerabilities
that require immediate attention, including inadequate access controls
and outdated security patches. The IG determined that Justice lacks
effective methodologies for tracking corrective action, applying
departmentwide fixes and maintaining an inventory of devices connected
to the department’s various IT networks, the Dec. 12 report states.
Portions of the document were redacted.

Justice received an
A-plus for its compliance with the Federal Information Security
Management Act (FISMA) in fiscal 2007 on an annual report card released
by Rep. Tom Davis (R-Va.), ranking member of the House Oversight and
Government Reform Committee. However, the department’s focus on meeting
FISMA requirements might have affected its ability to secure its IT
environment, according to the IG’s report.

For the audit, the
Justice IG used data for calendar year 2007 and the report card issued
in May 2008. In response to a draft of the report, Vance Hitch,
Justice’s chief information officer, said the department has taken a
number of steps to bolster IT security since the audit was conducted,
including creating an IT governance structure to support the security
program.

The IG said the department had documented a
comprehensive IT security program, created an IT oversight council and
implemented a tool to track FISMA compliance, but it still lacked an
effective vulnerability management program.

“We are concerned
that the security of the department’s IT systems may be compromised
because of its inability to consistently and systematically mitigate
identified security vulnerabilities,” the IG wrote.

According to
Justice’s fiscal 2007 FISMA report to the Office of Management and
Budget, the department ran 225 IT systems in fiscal 2007, and all of
them were accredited at the end of the fiscal year, the IG’s report
states.

“Although the department is ensuring that it meets FISMA
requirements, it is still responsible for ensuring the security of the
information contained within its IT systems, even if FISMA does not
require a specific remediation step,” the IG wrote. “We believe that a
structured process for monitoring vulnerability remediation would
improve the accuracy of the department’s assessment of the security
controls environment of its IT systems.”

The IG recommended that the department:

•
Establish a structured process for monitoring and tracking the
remediation of critical vulnerabilities identified during monthly scans.

• Ensure that the new monitoring processes conduct a detailed review and analysis of critical vulnerabilities.

• Develop a system to monitor the department’s IT environment in real time.

• Take an inventory of networked devices departmentwide.

In
a written response to the report, Hitch said he agreed with the
recommendations. He also described the steps the department has already
taken or planned to take to address the issues the IG raised.

Hitch
said Justice will deploy a framework to track vulnerabilities and
corrective actions and will implement a tool for monitoring critical
vulnerabilities, Hitch said.

The new framework, set to be
launched by Jan. 31, 2009, will require security and operations reviews
of new vulnerabilities and regular meetings to discuss them, he said.

Hitch
also said Justice has had a system that provides real-time monitoring
of its IT security environment since October 2007, and he considers the
IG's recommendation in that area to be addressed.

Finally, Hitch said Justice i
taking an inventory of all the department’s IT assets, which it will complete by Jan. 31.

The IG said that based on Justice’s responses, the report was considered resolved.

Democrats will vote on an appropriations package to reopen all the federal agencies shuttered during the partial shutdown, but the lack of wall funding will likely means the measure won't get a vote in the Senate.